
W32/Crog.worm

Type: Virus
SubType: Worm
Discovery Date: 03/07/2005
Length: 17,429 bytes (MEW)
Minimum DAT: 4441 (03/07/2005)
Updated DAT: 4684 (01/27/2006)
Minimum Engine: 5.1.00
Description Added: 03/07/2005
Description Modified: 03/07/2005 9:54 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Characteristics

This detection is for a worm written in MSVB, and packed with MEW, bearing the following characteristics:

  • propagates via MSN Instant Messenger
  • propagates via eMule P2P networks
  • modifies various Registry settings on the victim machine, lowering security settings
  • overwrites the local HOSTS file, preventing access to several security-related domains
  • terminates several processes (security-related applications)

This worm was briefly detected as W32/Generic.m in the beta DATs.

Symptoms

Installation

When run, the worm copies itself to the victim machine using several filenames:

  • %sysdir%\formatsys.exe
  • %sysdir%\serbw.exe
  • %windir%\msmbw.exe
  • %windir%\lspt.exe

Additional copies of the worm are dropped to the root of the system drive, using the following filenames:

  • Crazy frog gets killed by train!.pif
  • Annoying crazy frog getting killed.pif
  • See my lesbian friends.pif
  • LOL that ur pic!.pif
  • My new photo!.pif
  • Me on holiday!.pif
  • The Cat And The Fan piccy.pif
  • How a Blonde Eats a Banana...pif
  • Mona Lisa Wants Her Smile Back.pif
  • Topless in Mini Skirt! lol.pif
  • Fat Elvis! lol.pif
  • Jennifer Lopez.scr

A series of keys is added to the Registry to hook system startup. The following keys are modified:

  • HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The name of each added key is one of the following:

  • ltwob
  • serpe
  • avnort

The value is the filename the worm has installed itself as:

  • %windir%\formatsys.exe
  • %windir%\serbw.exe
  • %windir%\msmbw.exe
  • %windir%\lspt.exe
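The startup hooks above are what a responder checks first on a suspect host. The following Python script is an added example, not McAfee's code or part of the description: it takes the key paths, value names and payload filenames exactly as listed on this page, normalises each Run value's command line (quoted path, trailing arguments, mixed case) down to an executable basename, and reports an entry when either the value name or the launched filename matches. On Windows it enumerates the live keys with winreg; elsewhere it runs against constructed sample entries, which are assumptions for illustration.

```python
import ntpath
import sys
from typing import List, NamedTuple, Tuple

# Page data: the startup keys (reproduced as the description prints them), the
# value names and the payload filenames given above.
RUN_KEYS = [
    r"HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
CROG_VALUE_NAMES = {"ltwob", "serpe", "avnort"}
CROG_FILENAMES = {"formatsys.exe", "serbw.exe", "msmbw.exe", "lspt.exe"}


class AutostartEntry(NamedTuple):
    key: str    # full key path, e.g. RUN_KEYS[4]
    name: str   # value name
    data: str   # value data (the command line that is launched)


def command_basename(data: str) -> str:
    """Executable basename from a Run value's command line, lower-cased.

    Handles quoted paths with trailing arguments ('"C:\\x\\a.exe" /s' -> 'a.exe')
    and bare paths, so a value renamed by hand still reveals its payload."""
    s = data.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end > 0 else s[1:]
    else:
        exe = s.split(None, 1)[0] if s else ""
    return ntpath.basename(exe).lower()


def triage(entries: List[AutostartEntry]) -> List[Tuple[AutostartEntry, List[str]]]:
    """Return each entry that matches the worm's indicators, with the reasons."""
    hits = []
    for entry in entries:
        reasons = []
        if entry.name.lower() in CROG_VALUE_NAMES:
            reasons.append("value name matches W32/Crog")
        if command_basename(entry.data) in CROG_FILENAMES:
            reasons.append("launches a W32/Crog payload filename")
        if reasons:
            hits.append((entry, reasons))
    return hits


def collect_live_entries() -> List[AutostartEntry]:
    """Enumerate the values under RUN_KEYS on a Windows host; empty elsewhere.
    Keys that do not exist on this Windows version are skipped."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for full in RUN_KEYS:
        hive, subkey = full.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break          # no more values under this key
                    found.append(AutostartEntry(full, name, str(data)))
                    index += 1
        except OSError:
            continue                   # key absent on this system
    return found


# Constructed sample entries (assumed for illustration, not from a real infection).
SAMPLE_ENTRIES = [
    AutostartEntry(RUN_KEYS[4], "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    AutostartEntry(RUN_KEYS[4], "serpe", r"C:\WINDOWS\lspt.exe"),
    AutostartEntry(RUN_KEYS[1], "Updater", r'"C:\WINDOWS\msmbw.exe" /silent'),
    AutostartEntry(RUN_KEYS[2], "avnort", r"C:\Program Files\Example\tool.exe"),
]

if __name__ == "__main__":
    entries = collect_live_entries() or SAMPLE_ENTRIES
    for entry, reasons in triage(entries):
        print(f"{entry.key} :: {entry.name} = {entry.data}\n    {'; '.join(reasons)}")
```

Matching on both the value name and the launched filename is deliberate: either one alone is easy to miss once a sample is repacked under a different name, and a partial match is still worth a look.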

The worm also drops an HTML file to the root of the system drive and loads it in the default browser. This HTML page loads a counter and an image (JPG) from remote servers:

  • h t tp://frog.0catch.com/(blocked)big_deal.jpg
  • h t tp://udjc.com/(blocked)
    (this server is contacted to load the counter)

A text file is also dropped to the root of the system drive. This file contains a message intended for the author of W32/Laris.worm.

Modification of local HOSTS file

The local HOSTS file is overwritten in an attempt to redirect access to the following domains to 64.233.167.104:

  • www.symantec.com
  • www.sophos.com
  • www.mcafee.com
  • www.viruslist.com
  • www.f-secure.com
  • www.avp.com
  • www.kaspersky.com
  • www.networkassociates.com
  • www.ca.com
  • www.my-etrust.com
  • www.nai.com
  • www.trendmicro.com
  • www.grisoft.com
  • securityresponse.symantec.com
  • symantec.com
  • sophos.com
  • mcafee.com
  • liveupdate.symantecliveupdate.com
  • viruslist.com
  • f-secure.com
  • kaspersky.com
  • kaspersky-labs.com
  • avp.com
  • networkassociates.com
  • ca.com
  • mast.mcafee.com
  • my-etrust.com
  • download.mcafee.com
  • dispatch.mcafee.com
  • secure.nai.com
  • nai.com
  • update.symantec.com
  • updates.symantec.com
  • us.mcafee.com
  • liveupdate.symantec.com
  • customer.symantec.com
  • rads.mcafee.com
  • trendmicro.com
  • grisoft.com
  • sandbox.norman.no
  • www.pandasoftware.com
  • uk.trendmicro-europe.com
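A HOSTS-file check is the quickest way to confirm this symptom. The Python script below is an added example (not McAfee's code): it carries the redirect address and the 42 domains listed above as page data, parses HOSTS-format text the way the resolver does (comments, several names per line, malformed lines ignored), and flags a mapping either because it points at the worm's redirect address or because a security-vendor domain appears in HOSTS at all, which a stock file never has. The sample HOSTS text is constructed for illustration; on a Windows host the script reads the live file instead.

```python
import ipaddress
import os
from typing import List, Tuple

# Indicators quoted from the description above: the redirect target and the
# domains the worm writes into the HOSTS file.
CROG_REDIRECT_IP = "64.233.167.104"
CROG_HOSTS_DOMAINS = {
    "www.symantec.com", "www.sophos.com", "www.mcafee.com", "www.viruslist.com",
    "www.f-secure.com", "www.avp.com", "www.kaspersky.com",
    "www.networkassociates.com", "www.ca.com", "www.my-etrust.com", "www.nai.com",
    "www.trendmicro.com", "www.grisoft.com", "securityresponse.symantec.com",
    "symantec.com", "sophos.com", "mcafee.com", "liveupdate.symantecliveupdate.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "mast.mcafee.com",
    "my-etrust.com", "download.mcafee.com", "dispatch.mcafee.com", "secure.nai.com",
    "nai.com", "update.symantec.com", "updates.symantec.com", "us.mcafee.com",
    "liveupdate.symantec.com", "customer.symantec.com", "rads.mcafee.com",
    "trendmicro.com", "grisoft.com", "sandbox.norman.no", "www.pandasoftware.com",
    "uk.trendmicro-europe.com",
}

Finding = Tuple[int, str, str, str]  # (line number, address, hostname, reason)


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every mapping in HOSTS-format text.

    Comments introduced by '#' and blank lines are skipped, one line may map
    several names to one address, and lines whose first token is not an IP
    address are ignored rather than raising."""
    mappings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        for name in tokens[1:]:
            mappings.append((line_no, tokens[0], name.lower()))
    return mappings


def find_hijacked_entries(text: str) -> List[Finding]:
    """Flag HOSTS mappings that match the worm's tampering.

    A mapping to the redirect address is reported with the stronger reason;
    any vendor domain from the list is reported even when it points elsewhere
    (e.g. loopback), since a clean HOSTS file never names these domains."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if addr == CROG_REDIRECT_IP:
            findings.append((line_no, addr, name, "maps to W32/Crog redirect address"))
        elif name in CROG_HOSTS_DOMAINS:
            findings.append((line_no, addr, name, "security-vendor domain overridden"))
    return findings


# Constructed sample (assumed for illustration), not a capture from an infected host.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
64.233.167.104  www.mcafee.com
64.233.167.104  liveupdate.symantec.com update.symantec.com
127.0.0.1       www.sophos.com          # blocked with loopback instead
10.0.0.5        intranet.example        # unrelated local entry
not-an-address  garbage
"""


if __name__ == "__main__":
    # On a Windows host read the live file; elsewhere fall back to the sample.
    live = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    text = open(live, encoding="utf-8", errors="replace").read() if os.path.exists(live) else SAMPLE_HOSTS
    for line_no, addr, name, reason in find_hijacked_entries(text):
        print(f"line {line_no}: {addr} {name}  <- {reason}")
```

Reporting the vendor-domain case separately matters because other worms of the period used 127.0.0.1 for the same purpose; a check keyed only on 64.233.167.104 would miss them.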

Lowering Security Settings

The worm changes the values of the following Registry keys, setting both to 0:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore "DisableConfig" = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore "DisableSR" = 0

Process Termination

The worm terminates any of the following processes if they are running:

  • apvxdwin.exe
  • atupdater.exe
  • aupdate.exe
  • autodown.exe
  • autotrace.exe
  • autoupdate.exe
  • avconsol.exe
  • avengine.exe
  • vpupd.exe
  • avsynmgr.exe
  • avwupd32.exe
  • avxquar.exe
  • bawindo.exe
  • blackd.exe
  • ccapp.exe
  • ccevtmgr.exe
  • ccproxy.exe
  • ccpxysvc.exe
  • cfiaudit.exe
  • defwatch.exe
  • drwebupw.exe
  • escanh95.exe
  • escanhnt.exe
  • firewall.exe
  • frameworkservice.exe
  • icssuppnt.exe
  • icsupp95.exe
  • luall.exe
  • lucoms~1.exe
  • mcagent.exe
  • mcshield.exe
  • mcupdate.exe
  • mcvsescn.exe
  • mcvsrte.exe
  • mcvsshld.exe
  • navapsvc.exe
  • navapw32.exe
  • nisum.exe
  • nopdb.exe
  • nprotect.exe
  • nupgrade.exe
  • outpost.exe
  • pavfires.exe
  • pavproxy.exe
  • pavsrv50.exe
  • rtvscan.exe
  • rulaunch.exe
  • savscan.exe
  • shstat.exe
  • sndsrvc.exe
  • symlcsvc.exe
  • Update.exe
  • updaterui.exe
  • vshwin32.exe
  • vsstat.exe
  • vstskmgr.exe
  • cmd.exe
  • msconfig.exe
  • msdev.exe
  • ollydbg.exe
  • peid.exe
  • petools.exe
  • regedit.exe
  • reshacker.exe
  • taskmgr.exe
  • w32dasm.exe
  • winhex.exe
  • wscript.exe

The worm also looks for any running application whose window title contains one of several strings, terminating it if found. The strings again relate to security applications.

Method of Infection

MSN IM Propagation

The worm attempts to send itself to recipients via MSN Instant Messenger, using one of the filenames it installs itself as on the victim machine.

P2P Propagation

The worm also copies itself to the following folders in an attempt to propagate through file-sharing networks:

  • %SYSTEMDRIVE%\My Shared Folder\
  • %PROGRAMFILES%\eMule\Incoming\
  • %USERFOLDER%\Shared\

The following filenames are used:

  • Messenger Plus! 3.50.exe
  • MSN all version polygamy.exe
  • MSN nudge bomb.exe

Propagation to CDs

In an attempt to propagate to CDs that are burnt from the victim machine, the worm copies itself to the following folder as AUTORUN.EXE:

  • %USERFOLDER%\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe

It also updates (or creates) an AUTORUN.INF file in this folder to contain:

  • OPEN=AUTORUN.EXE

(Where %USERFOLDER% represents the folder %SYSTEMDRIVE%\Documents and Settings\%USERNAME%\.)
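The CD-burning staging folder is easy to overlook during cleanup, since its contents only become a problem on the next burn. As an added example (not McAfee's code), the Python script below inspects that folder: it parses the OPEN= directive from an AUTORUN.INF, tolerating a file with or without an [autorun] section header since the description shows only the bare directive, and reports when the directive or the staged files match what the worm leaves behind. The sample INF text and file list are constructed assumptions; assess_live_profile() checks the real folder under %USERPROFILE% on a Windows host.

```python
import os
import re
from typing import Iterable, List, Optional

# Page data: the staging folder (under the user's profile folder) and the
# directive the worm writes into AUTORUN.INF.
CD_BURNING_SUBDIR = r"Local Settings\Application Data\Microsoft\CD Burning"
WORM_OPEN_TARGET = "autorun.exe"

# Matches an OPEN= line anywhere in the file; a missing [autorun] section
# header is tolerated rather than treated as malformed.
_OPEN_LINE = re.compile(r"^\s*open\s*=\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def autorun_open_target(inf_text: str) -> Optional[str]:
    """Return the program named by the first OPEN= directive, lower-cased, or None."""
    match = _OPEN_LINE.search(inf_text)
    return match.group(1).strip('"').lower() if match else None


def assess_staging(inf_text: Optional[str], filenames: Iterable[str]) -> List[str]:
    """Judge a staging folder from its AUTORUN.INF text (None if absent) and
    the names of the files it contains. Returns human-readable findings."""
    names = {n.lower() for n in filenames}
    findings = []
    target = autorun_open_target(inf_text or "")
    if target == WORM_OPEN_TARGET:
        findings.append(f"AUTORUN.INF launches {WORM_OPEN_TARGET} (matches W32/Crog)")
    elif target:
        findings.append(f"AUTORUN.INF launches {target}: review before burning")
    if WORM_OPEN_TARGET in names:
        findings.append(f"{WORM_OPEN_TARGET} is staged for the next burn")
    return findings


def assess_live_profile(profile_dir: Optional[str] = None) -> List[str]:
    """Run assess_staging against the real staging folder of the current user."""
    base = profile_dir or os.environ.get("USERPROFILE", "")
    folder = os.path.join(base, CD_BURNING_SUBDIR)
    if not os.path.isdir(folder):
        return []
    inf_path = os.path.join(folder, "autorun.inf")
    inf_text = None
    if os.path.exists(inf_path):
        inf_text = open(inf_path, encoding="utf-8", errors="replace").read()
    return assess_staging(inf_text, os.listdir(folder))


# Constructed sample (assumed): the staging folder after the worm has run.
SAMPLE_INF = "[autorun]\r\nOPEN=AUTORUN.EXE\r\n"
SAMPLE_FILES = ["holiday1.jpg", "autorun.inf", "AUTORUN.EXE"]

if __name__ == "__main__":
    for line in assess_live_profile() or assess_staging(SAMPLE_INF, SAMPLE_FILES):
        print(line)
```

Any OPEN= directive in a user's burn queue deserves a second look, not only the worm's; the check therefore reports an unexpected target separately from the exact match.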

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • IM-Worm.Win32.Sumom.a (Kaspersky)
  • W32.Serflog.A (Symantec)
  • WORM_FATSO.A (Trend Micro)
